According to a recently released opinion letter by the DOL’s Equal Employment Opportunity Commission (EEOC), employers must ensure that strict confidentiality and separation are provided for personnel records containing personal medical information, and that occupational health information is not intermingled in an electronic health record (EHR) of an individual patient. Given that the Health Insurance Portability and Accountability Act (HIPAA) normally exempts employment records from the scope of its privacy and security requirements, why should healthcare providers and health plans be concerned by this EEOC opinion?
There are two important reasons. First, healthcare providers and health plans are themselves employers and should be concerned with maintaining strict confidentiality of medical information maintained in their employees’ personnel files. Second, while HIPAA exempts “employment records” from application of the HIPAA Privacy and Security Standards that apply to protected health information (PHI), the EEOC states that personal health information maintained for medical purposes (i.e., PHI) and occupational (or work-related) medical information should not be maintained in a single EHR, and the latter information clearly is subject to strict confidentiality requirements under both the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA). Therefore, providers, health plans and employers should adopt appropriate restrictions and separation with respect to EHRs that contain both types of health information.
The question often is asked by employers, “do HIPAA’s privacy and security regulations apply to the medical information in our Human Resources Department personnel files?” As far as it goes, the answer under HIPAA is “no.” Employment records held by a covered entity (or by an employer) are excluded from the definition of PHI under 45 C.F.R. § 164.103. (Note, however, that enrollment, treatment, payment and related records of an employer-sponsored health plan are deemed to be PHI under HIPAA, if individually identifiable.) However, as the recent EEOC opinion letter states, the prohibitions under ADA and GINA with respect to asking or inquiring about certain aspects of the health status of an employee or potential hire apply equally to paper and electronic health records as they do to verbal questions asked in an interview.
The opinion letter, written by the EEOC Office of Legal Counsel, states, “[a]ccessing an individual’s medical records directly is no different from asking an individual for information about current health status, which the Commission considers a request for [disability or] genetic information where it is likely to result in the acquisition of such information, particularly family medical history.” Therefore, employers must respect the confidentiality of all medical information maintained for employment purposes, whether an EHR or paper medical record, and be careful when seeking authorization from employees to access their EHR or other medical records for work-related purposes. If done in an inappropriate way related to obtaining disability or genetic information regarding a job applicant or current employee, such access can run afoul of the confidentiality and nondiscrimination provisions under ADA and GINA. The EEOC opinion letter makes clear that employers must ensure that personal health information about applicants or employees cannot be accessed, except under the circumstances and to the extent permitted under ADA and GINA.
The EEOC opinion effectively requires that employers, if not already doing so, take steps to ensure that: (1) the various types of medical information about employees sought or maintained for purposes of disability determinations, work-related functions or accommodations, FMLA and other types of medical leave are obtained lawfully in compliance with ADA, GINA and state confidentiality and nondiscrimination laws, and (2) medical information contained in employment files is segregated into confidential areas (whether paper or electronic) with access rights restricted only to such lawful purposes, as opposed to the general access rights typically afforded to a wider range of management and human resources personnel.
The EEOC opinion letter also states that when personal health information (read: PHI) is maintained together with occupational health information in a single EHR or paper medical record, particularly one that allows someone with access to the EHR or paper record to view any information therein without restriction, a real possibility of a violation of ADA or GINA exists if the purpose of such access is prohibited under those laws. Thus, healthcare providers and health plans, both in their capacity as HIPAA-covered entities and in their capacity as employers, need to ensure that appropriate separation and access controls exist with respect to both PHI and employment/occupational health information maintained in paper or electronic form. Failure to do so could result in liability under ADA and GINA, as well as the more typical risk of a “breach” under HIPAA’s requirement to notify patients when their medical records have been accessed or acquired in an unauthorized, or illegal, manner.
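The two controls the letter calls for, segregating occupational health information from personal medical (PHI) and general HR data, and granting access only for a lawful purpose, can be expressed as a default-deny policy check over tagged records. The following is an added illustration written for this post; it is not code from the EEOC, from any EHR vendor, or from any HR system. The record categories, role names, purpose names and the sample records are assumptions constructed for the example. A record that carries more than one medical category in a single object is treated as the “single combined record” the letter warns about and is refused outright until it is segregated, and every decision is written to an audit trail so that accesses to medical categories can later be accounted for.

```python
"""Purpose-restricted access to segregated medical records (added example).

Assumptions, chosen for this illustration only: the four record categories,
the role and purpose vocabularies, and the sample records below are all
constructed; they are not taken from the EEOC letter or any real system.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    CLINICAL = "clinical"          # treatment/payment PHI held by the provider
    OCCUPATIONAL = "occupational"  # fitness-for-duty, accommodation, leave certs
    GENETIC = "genetic"            # family medical history, genetic test results
    GENERAL_HR = "general_hr"      # title, pay grade, performance: no medical content


PERSONAL_MEDICAL = {Category.CLINICAL, Category.GENETIC}
MEDICAL = PERSONAL_MEDICAL | {Category.OCCUPATIONAL}


@dataclass(frozen=True)
class Record:
    subject_id: str
    categories: frozenset   # a properly segregated record carries one category
    body: str               # constructed placeholder content


@dataclass(frozen=True)
class AccessRequest:
    actor: str
    role: str
    purpose: str            # the stated, lawful purpose of the access
    subject_id: str


# (role, purpose) -> categories that pairing may read.  Default deny: a
# pairing that is absent here, or a category not listed for it, is refused.
POLICY = {
    ("treating_clinician", "treatment"): {Category.CLINICAL, Category.GENETIC},
    ("occ_health_nurse", "accommodation"): {Category.OCCUPATIONAL},
    ("occ_health_nurse", "leave_administration"): {Category.OCCUPATIONAL},
    ("hr_generalist", "general_hr"): {Category.GENERAL_HR},
    ("line_manager", "general_hr"): {Category.GENERAL_HR},
}


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def write(self, req, record, allowed, reason):
        self.entries.append({
            "actor": req.actor, "role": req.role, "purpose": req.purpose,
            "subject": record.subject_id,
            "categories": sorted(c.value for c in record.categories),
            "allowed": allowed, "reason": reason,
        })


def commingled(record):
    """True when one record mixes personal medical data with occupational
    data, or places any medical category in the general HR file."""
    cats = set(record.categories)
    has_personal = bool(cats & PERSONAL_MEDICAL)
    has_occ = Category.OCCUPATIONAL in cats
    has_hr = Category.GENERAL_HR in cats
    return (has_personal and has_occ) or ((has_personal or has_occ) and has_hr)


def decide(req, record, log):
    """Return True only if every category on the record is granted to the
    requester's (role, purpose) pairing; commingled records are refused."""
    if commingled(record):
        log.write(req, record, False, "commingled record: refuse until segregated")
        return False
    granted = POLICY.get((req.role, req.purpose), set())
    ok = set(record.categories) <= granted
    reason = "policy grant" if ok else "no grant for this (role, purpose, category)"
    log.write(req, record, ok, reason)
    return ok


def medical_access_trail(log):
    """Allowed accesses that touched a medical category: the entries an
    accounting-of-disclosures or breach review would start from."""
    medical_values = {c.value for c in MEDICAL}
    return [e for e in log.entries
            if e["allowed"] and set(e["categories"]) & medical_values]


# Constructed sample data: emp-001 is properly segregated, emp-002 is a
# single combined chart holding both clinical and occupational content.
RECORDS = {
    "emp-001": [
        Record("emp-001", frozenset({Category.CLINICAL}), "visit note (constructed)"),
        Record("emp-001", frozenset({Category.OCCUPATIONAL}), "fitness-for-duty clearance (constructed)"),
        Record("emp-001", frozenset({Category.GENERAL_HR}), "title and pay grade (constructed)"),
    ],
    "emp-002": [
        Record("emp-002", frozenset({Category.CLINICAL, Category.OCCUPATIONAL}), "combined chart (constructed)"),
    ],
}


def run_demo():
    """Evaluate three constructed requests; returns ({name: [decisions]}, log)."""
    log = AuditLog()
    requests = {
        "nurse": AccessRequest("nurse-a", "occ_health_nurse", "accommodation", "emp-001"),
        "manager": AccessRequest("mgr-b", "line_manager", "general_hr", "emp-001"),
        "clinician": AccessRequest("dr-c", "treating_clinician", "treatment", "emp-002"),
    }
    results = {name: [decide(req, r, log) for r in RECORDS[req.subject_id]]
               for name, req in requests.items()}
    return results, log


if __name__ == "__main__":
    outcome, trail = run_demo()
    for name, decisions in outcome.items():
        print(name, decisions)
    for entry in trail.entries:
        print(entry)
```

The nurse's accommodation request reads only the occupational record and is refused the clinical note and the HR file; the line manager's general-HR request sees only the non-medical file; and the treating clinician, who would be granted the clinical chart on its own, is refused emp-002 entirely because that chart also carries occupational content. The audit trail records all seven decisions, and `medical_access_trail` returns the single allowed medical read, which is what a breach review or accounting of disclosures would examine first.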